81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62

Analysis

Target

81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe
Size

495KB
MD5

23060ccfc90d21321420bda396ce8f8e
SHA1

69239688b9089a3ba073bf88e0fc60c9bbe0efcc
SHA256

81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62
SHA512

a45c413e5cba8e09c7f418af7c74070178c94acea4433ce240c0f8f1d961eab65dd52288a9b7dfbb479080486ba847b661cbcfe39bc9b7a209c91599f6b9424d

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3736 powershell.exe
3736 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3736 powershell.exe

pid	process
3736	powershell.exe
3736	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.execmd.exe

description	pid	process	target process
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	cmd.exe
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	cmd.exe
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	cmd.exe
PID 3556 wrote to memory of 3736	3556	cmd.exe	powershell.exe
PID 3556 wrote to memory of 3736	3556	cmd.exe	powershell.exe
PID 3556 wrote to memory of 3736	3556	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe
"C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3556

memory/3556-135-0x0000000000000000-mapping.dmp

Download
memory/3736-142-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/3736-141-0x0000000006800000-0x000000000681E000-memory.dmp

Filesize
120KB

Download
memory/3736-145-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

Filesize
136KB

Download
memory/3736-144-0x0000000007A80000-0x0000000007B16000-memory.dmp

Filesize
600KB

Download
memory/3736-143-0x0000000006D00000-0x0000000006D1A000-memory.dmp

Filesize
104KB

Download
memory/3736-136-0x0000000000000000-mapping.dmp

Download
memory/3736-138-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/3736-139-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/3736-137-0x00000000051F0000-0x0000000005226000-memory.dmp

Filesize
216KB

Download
memory/3736-140-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3808-132-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/3808-130-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/3808-131-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/3808-134-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3808-133-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download